Leveraging Log Management to
provide business value
The importance of consolidation, correlation, and detection
Enterprise Series




White Paper
8815 Centre Park Drive
Columbia MD 21045
877.333.1433
Published: August 17, 2009
Abstract
Despite the obvious benefits of Log Management and its increasing recognition as a critical
necessity by the IT organization, Log Management is still viewed by Executives and Senior
Management as a tactical effort, an item on a checklist that addresses a specific set of
requirements, typically related to compliance or security. However, by taking a broader approach,
Log Management becomes not only the foundation for complying with multiple requirements and
improving enterprise security, but also provides significant business value in the form of
increased business agility, smoother IT operations and business processes, enhanced
communication and collaboration between teams, and reduced costs.




The information contained in this document represents the current view of Prism
Microsystems Inc. (Prism) on the issues discussed as of the date of publication.
Because Prism Microsystems must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Prism. Prism cannot
guarantee the accuracy of any information presented after the date of
publication.
This document is for informational purposes only. Prism MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, this paper may be freely distributed
without permission from Prism, as long as its content is unaltered, nothing is
added to the content and credit to Prism is provided.
Prism may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Prism Microsystems,
the furnishing of this document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted
herein are fictitious. No association with any real company, organization, product,
person or event is intended or should be inferred.
© 2009 Prism Microsystems Inc. All rights reserved.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.




The Log Management Challenge
In a typical enterprise, millions of logs are generated by systems, applications and devices
every single day. These logs contain a record of all activity that takes place in a network and
provide a wellspring of information to help improve security, enable compliance and
optimize IT operations. However, gaining any actionable intelligence from this data depends
on how well you can collect, consolidate, store and decipher the information that event logs
contain, which is no easy task to do manually given the following constraints:


Collection
As a result of regulatory requirements, companies have to, at a bare minimum, collect and
archive all log data from a number of devices and device types ranging from network and
security devices to operating systems, databases, applications and web logs. Considering that
in most companies the number of devices that generate event logs is in the hundreds or
thousands, and that each device can generate millions of logs every single day, simply
keeping up with the staggering volume can be a challenge. There is also the challenge of
establishing reliability for audit purposes, that is, demonstrating that logs were collected in a
secure manner.


Storage
In order to facilitate review, many compliance mandates require log data to be stored
securely for on-demand retrieval and historical analysis.


         •    The NIST guide for HIPAA requires that logs be maintained for 6 years at a
              minimum.
         •    Section 103 of Sarbanes-Oxley requires that “information related to any audit
              report, in sufficient detail to support the conclusions reached in such report” be
              maintained for 7 years.
         •    Section 10.7 of the PCI Data Security Standard requires covered entities to
              retain audit trail data for at least one year, with a minimum of 3 months online
              availability.
         •    In addition, the Gramm-Leach-Bliley Act, the SANS Institute and various other
              best practices recommend that logs and documentation be kept for a varying
              number of years.

Normally, a single Windows server can generate over 100,000 events every day without
using the auditing feature. With the audit feature in operation, Windows servers, like many
UNIX systems, SNMP devices and firewalls, can produce over one million events per day. It
is not unusual for even a small organization to generate well over 20 million events every
day. This information needs to be securely archived for IT controls and compliance.

One hundred Windows servers with an average number of 100,000 events each, means a
total of 10 million events per day – and that is without auditing! If these events are kept for
90 days, it is necessary to manage and store 900 million events. Retained for 1 year, the
archive would contain over 3.5 billion separate event records. This can translate into a
significant storage burden, keeping in mind that one million events can take up to 5GB of
space in a traditional database.




Analysis
Analysis remains the third major challenge. The fact is that different devices generate logs in
distinct, inconsistent and often cryptic formats that are difficult to analyze without in-depth
system-specific expertise. Also, many of the conditions that indicate issues can only be
detected when events are correlated or associated with events happening on other systems
and devices. If caught in time, these signs can alert personnel to take necessary actions
before security is compromised. Moreover, this analysis needs to be done in real-time for
immediate insight into unusual and suspicious user/network activity – a task that is
impossible to do manually, unless of course, a company has an army of IT experts at its
disposal 24/7.

The case for automated Log Management
It is no wonder that IT managers who grasp the importance of event log data still find the
entire task of event log management a difficult challenge. That’s where SIEM (Security
Information and Event Management) or Log Management solutions come in. An automated
solution will address the challenges outlined in the previous section and help organizations
cost effectively collect, archive, correlate and analyze enterprise-wide log data for security
investigation and compliance reporting.



Traditional drivers: Compliance and Security
A Log Management solution is typically implemented for one or more of the following
reasons:


a) To comply and prove compliance

Log management is typically considered a security best practice; however, a number of
regulations such as SOX, HIPAA, PCI, GLBA and FISMA specifically call for the collection,
storage, regular review and analysis of log data. Log Management solutions help companies
wade through the often vague guidelines of compliance requirements with predefined reports
mapped to specific regulatory requirements. A comprehensive Log Management solution
helps you:


        •    Automate the entire compliance process, from securing your environment,
             establishing baselines, tracking user activity and alerting on potential violations
             to creating audit-ready reports
        •    Demonstrate to auditors that periodic reviews are being conducted in compliance
             with internal and external policies
        •    Comply with a variety of regulatory standards spanning multiple verticals



b) To detect and prevent security breaches

Event logs from firewalls, routers, systems and applications provide valuable clues about the
state of a company’s overall security posture. The really important clues, however, are often
very hard to detect and sometimes can only be extracted after viewing a series of events on
multiple systems in context. Log Management solutions come with powerful correlation
capabilities that look for patterns of events taking place across the entire enterprise to detect
abnormal activity that may be indicative of an attack in progress.


These solutions help you:
    •    Detect and prevent damage from Zero-Day and other new forms of attack vectors
    •    Monitor user activity and USB device usage for unauthorized internal access to
         sensitive data
    •    Monitor networks for suspicious activity that often precedes a security breach
    •    Create customized correlation rules to detect common and critical security
         conditions in real time
    •    React quickly and early to suspicious activity with instant alerts and automatic
         remediation for proactive prevention
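The Analysis section above argues that the telling conditions only appear when events from different systems are correlated, and this list promises correlation rules that run in real time. The following is an added example, not code from the white paper or from EventTracker, of what such a rule looks like: two constructed log formats (Windows-style security events and firewall syslog) are normalized into one schema, and an alert fires only when an inbound connection allowed by the firewall, a burst of logon failures for one account from that address, and a successful logon for that account all fall inside one sliding window. Event IDs 4625/4624 are the real Windows failure/success IDs; hosts, addresses, line layouts and thresholds are constructed.

```python
"""Cross-source event correlation over constructed log lines (Python 3, stdlib only).

Added example; not code from the white paper or from EventTracker. Two unrelated
log formats (Windows-style security events and firewall syslog) are normalized into
one schema, and the rule fires only on a pattern neither source shows by itself:
firewall allow from an address, >= N logon failures for one account from that address,
then a success. Event IDs 4625/4624 are real; everything else is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_YEAR = 2009  # syslog lines carry no year; the constructed sample is from 2009

# Constructed sample stream, interleaved the way a collector would receive it.
SAMPLE_LINES = [
    "Aug 17 09:00:01 fw01 kernel: ALLOW TCP 203.0.113.7:51515 -> 10.0.0.5:3389",
    "2009-08-17 09:00:05 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
    "2009-08-17 09:00:07 WIN-DC1 EventID=4625 User=asmith SrcIP=10.0.0.20",
    "2009-08-17 09:00:10 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
    "2009-08-17 09:00:14 WIN-DC1 EventID=4624 User=asmith SrcIP=10.0.0.20",
    "2009-08-17 09:00:15 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
    "2009-08-17 09:00:20 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
    "2009-08-17 09:00:25 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
    "Aug 17 09:00:28 fw01 kernel: DENY TCP 192.0.2.44:2222 -> 10.0.0.5:3389",
    "2009-08-17 09:00:30 WIN-DC1 EventID=4624 User=jdoe SrcIP=203.0.113.7",
]

WIN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) "
                    r"EventID=(\d+) User=(\S+) SrcIP=(\S+)$")
FW_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) kernel: (ALLOW|DENY) TCP "
                   r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
WIN_KINDS = {"4625": "logon_failure", "4624": "logon_success"}


def normalize(line):
    """Map either raw format onto one schema; None for lines this rule does not use."""
    m = WIN_RE.match(line)
    if m:
        ts, host, event_id, user, src = m.groups()
        if event_id not in WIN_KINDS:
            return None
        return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
                "kind": WIN_KINDS[event_id], "user": user, "src_ip": src}
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, _dst, dport = m.groups()
        if action != "ALLOW" or dport != "3389":
            return None  # only inbound allows to the RDP port feed this rule
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        return {"ts": when, "host": host, "kind": "fw_allow", "user": None, "src_ip": src}
    return None


class Correlator:
    """Sliding-window rule: fw_allow(src) and >= N logon_failure(src, user), then logon_success."""
    def __init__(self, window_seconds=300, failure_threshold=5):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = failure_threshold
        self.fw_allows = defaultdict(deque)   # src_ip -> timestamps of inbound allows
        self.failures = defaultdict(deque)    # (src_ip, user) -> timestamps of failures
        self.alerts = []

    def _expire(self, dq, now):
        while dq and now - dq[0] > self.window:   # keep state bounded on a live stream
            dq.popleft()

    def feed(self, ev):
        """Consume one normalized event; return an alert dict when the rule fires, else None."""
        now, src = ev["ts"], ev["src_ip"]
        if ev["kind"] == "fw_allow":
            self.fw_allows[src].append(now)
            self._expire(self.fw_allows[src], now)
            return None
        key = (src, ev["user"])
        if ev["kind"] == "logon_failure":
            self.failures[key].append(now)
            self._expire(self.failures[key], now)
            return None
        self._expire(self.failures[key], now)     # logon_success: does it complete the pattern?
        self._expire(self.fw_allows[src], now)
        if len(self.failures[key]) < self.threshold or not self.fw_allows[src]:
            return None
        alert = {"ts": now, "host": ev["host"], "user": ev["user"], "src_ip": src,
                 "failures_before_success": len(self.failures[key]),
                 "first_seen_at_firewall": self.fw_allows[src][0]}
        self.failures[key].clear()  # fire once per burst, not on every later success
        self.alerts.append(alert)
        return alert


def run(lines=SAMPLE_LINES, **rule_kwargs):
    """Normalize and correlate a stream of raw lines; return the alerts raised."""
    c = Correlator(**rule_kwargs)
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            c.feed(ev)
    return c.alerts
```

On the sample, the two failures-then-success from the internal address 10.0.0.20 raise nothing, while the five failures from 203.0.113.7 followed by a success do, because the firewall had already recorded that address entering from outside.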



c) To conduct forensic investigations on security incidents

Log Management solutions support forensic investigations by providing a complete audit
trail of forensically clean data leading up to an attack. Logs can be used to establish a
timeline of events, piece together what went wrong and gain a detailed view of what
happened, so that steps can be taken to ensure that it does not happen again.


Leveraging Log Management beyond the security organization
Beyond security and compliance, Log Management can be applied across the IT
organization to increase the efficiency of IT operations, primarily through increased
visibility into enterprise-wide activity. Log Management solutions not only help in
maintaining the IT infrastructure in optimal shape but also enable planning for future
requirements by monitoring disk space trends, CPU usage trends and service downtime. By
alerting on trends that indicate resource issues such as low disk space, runaway processes,
high memory usage, etc., an event log management solution significantly improves IT
availability by reducing unplanned outages, while at the same time reducing the total cost of
ownership of the IT infrastructure. Log Management solutions:


    •    Automate routine tasks and decrease dependence on existing resources
    •    Enable IT staff to quickly diagnose issues before they escalate into costly
         disruptions
    •    Accelerate troubleshooting times
    •    Free up personnel to do more productive tasks

Generating business value from Log Management
From the applications of Log Management detailed above, the business value that Log
Management solutions provide is apparent. Automation of regulatory processes, improved
efficiency of forensic investigations, faster troubleshooting turnaround and a better
security posture are some of the most important benefits that an organization gains with the
proper implementation of a log management solution.

There are also several lesser known benefits of Log Management that can provide
tremendous business value by addressing critical management areas:



Increased agility
In these tough economic times, the margin for business error is very slim. When services are
IT dependent, unexpected performance issues and security breaches can severely impact a
company’s competitiveness. In addition, lost business and revenue opportunities can result
if, for instance, an order taking system goes down, or if customers are unable to contact you.
An effective log management solution increases your business and IT agility by allowing
you to quickly respond to unexpected situations and problems before performance is affected
or revenue is lost.



Business process improvement
Considering that logs are records of what a system does minute by minute, the right log
management solution can provide a detailed understanding of most aspects of a business,
from how consumers use systems to purchase goods, to identifying operational bottlenecks,
to tracking resource utilization. The insight that log data provides into business operations
can help you measure and optimize critical processes.

Business risk mitigation
A security breach can cause long-term damage to corporate reputation. The negative press
resulting from loss of sensitive customer data such as credit card information or social
security numbers can not only create customer distrust and subsequently impact sales and
revenue, but also hinder business relationships and partnerships. Beyond the reputational
harm, the direct costs associated with clean-up activities after a security incident can also be
substantial. Large fines as a result of non-compliance, identity protection services offered to
affected customers, litigation fees, and civil lawsuits can all add up to a significant chunk of
money.

Log Management solutions substantially reduce the risks and costs associated with security
breaches by proactively detecting patterns indicative of a breach and enabling personnel to
perform remediation activities before costly damage is caused.



Enhanced team communication and collaboration
IT typically operates through specialized teams to manage security threats, optimize network
performance and enable compliance. These groups deploy point products within each of
their areas to meet their independent requirements, and while this approach is beneficial for
addressing department-specific objectives, it creates silos of data that hinder cross-
departmental collaboration and decision making. Log Management solutions enable cross-
functional communication and information sharing by seamlessly weaving together
information on all IT assets into an integrated framework that provides intelligence and
insight into enterprise-wide activity for effective decision making.



Increased management visibility
Executive Management benefits from dashboards and reports that provide visibility into
cross-departmental activities such as operational and security metrics, corporate governance,
and regulatory initiatives. Summary reports and analysis capabilities allow them to make a
quick assessment of progress and get an overview of the overall IT posture.

Reduced costs
Log Management solutions accelerate the time to identifying critical security and
performance issues to significantly reduce costs associated with service disruptions, security
breaches and non-compliance. With the automation of compliance processes and predefined
reports, the costs associated with preparing for audits and remaining in compliance are also
significantly reduced.

In addition, Log Management solutions help increase service levels without increasing staff
and reduce burdens on existing resources by automating routine tasks. In times of tightening
budgets and staff cuts, Log Management helps companies do more with less by addressing
multiple requirements across departments.

Conclusion
Log Management solutions, although typically deployed to meet very specific requirements,
have benefits that extend far beyond department-level objectives. With the insight that log
data provides into enterprise-wide IT, a growing number of constituents can benefit from a
solution that automates the collection, consolidation and analysis of this data – these range
from audit and compliance groups, security teams, IT operations and Helpdesk teams to
legal teams (for forensic investigation), senior management and CIOs.

About EventTracker
EventTracker is a scalable, enterprise-class Security Information and Event Management (SIEM)
solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP
V1/2, legacy systems, applications and databases. EventTracker enables “defense in depth”, where
log data is automatically collected, correlated and analyzed from the perimeter security devices
down to the applications and databases. To prevent security breaches, Event Log data becomes
most useful when interpreted in near real time and in context. Context is vitally important because
often the critical indications of impending problems and security violations can only be learned by
watching patterns of events across multiple systems. Complex rules can be run on the event stream
to detect signs of such a breach. EventTracker also provides real-time alerting capability in the
form of an email, page or SNMP message to proactively alert security personnel to an impending
security breach.

The original log data is also securely stored in a highly compressed event repository for compliance
purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting
interface, scheduled or on-demand report generation, automated compliance workflows that prove
to auditors that reports are being reviewed and many other features. With pre-built auditor grade
reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, PCI, and
more), EventTracker represents a compliance solution that is second to none. EventTracker also
provides advanced forensic capability where all the stored logs can be quickly searched through a
powerful Google-like search interface to perform quick problem determination.

EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92
Guide to Computer Security Log Management, and additionally provides Host-Based Intrusion
Detection, Change Monitoring and USB activity tracking on Windows systems, all in an off-the-
shelf, affordable software solution.

EventTracker provides the following benefits:

         • A highly scalable, component-based architecture that consolidates all Windows, SNMP
           V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical
           UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and
           various other SYSLOG generating devices.

         • Automated archival mechanism that stores activities over an extended period to meet
           auditing requirements. The complete log is stored in a highly compressed (>90%),
           secured (Sealed with SHA-1 checksum) archive that is limited only by the amount of
           available disk storage.

         • Real-time monitoring and parsing of all logs to analyze user activities such as logon
           failures and failed attempts to access restricted information.

         • Alerting interface that generates custom alert actions via email, pager, console
           message, etc.

        • Event correlation modules to constantly monitor for malicious hacking activity. In
          conjunction with alerts, this is used to inform network security officers and security
          administrators in real time. This helps minimize the impact of breaches.

        • Various types of network activity reports, which can be scheduled or generated as
          required for any investigation or meeting audit compliances.

        • Host-based Intrusion Detection (HIDS).

        • Role-based, secure event and reporting console for data analysis.

        • Change Monitoring on Windows machines

        • USB Tracking, including restricted use, insert/removal recording, and a complete audit
          trail of all files copied to the removable device.

        • Built-in compliance workflows to allow inspection and annotation of the generated
          reports.
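The archival bullet above describes the stored log as a compressed archive sealed with a checksum, and the Collection section earlier notes that audit reliability means being able to demonstrate that logs were kept intact. As an added example, not code from the white paper or from EventTracker, the following shows one way such a seal can work: each batch of raw lines is compressed and hashed, and its seal also binds the previous batch's seal, so editing, dropping or reordering a batch breaks the chain, and a chain rewritten from scratch is caught by comparing the head seal with a copy kept off-system. SHA-256 is used here (the paper mentions a SHA-1 checksum), and the sample batches are constructed.

```python
"""Tamper-evident sealing of compressed log archive batches (Python 3, stdlib only).

Added example; not code from the white paper or from EventTracker. Each batch of
raw lines is compressed and hashed, and its seal also covers the previous batch's
seal (a hash chain). Verification recomputes every digest and seal and, when given,
compares the chain head with a copy kept off-system. SHA-256 is used here (the paper
mentions SHA-1); the sample batches and record layout are constructed.
"""
import hashlib
import zlib

GENESIS_SEAL = "0" * 64  # constructed convention: the "seal before the first batch"

# Constructed sample: what a collector might hand to the archive every few minutes.
SAMPLE_BATCHES = [
    ["2009-08-17 09:00:05 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
     "2009-08-17 09:00:10 WIN-DC1 EventID=4625 User=jdoe SrcIP=203.0.113.7",
     "2009-08-17 09:00:30 WIN-DC1 EventID=4624 User=jdoe SrcIP=203.0.113.7"],
    ["Aug 17 09:05:01 fw01 kernel: ALLOW TCP 203.0.113.7:51515 -> 10.0.0.5:3389",
     "Aug 17 09:05:09 fw01 kernel: DENY TCP 192.0.2.44:2222 -> 10.0.0.5:3389"],
    ["2009-08-17 09:10:00 WIN-DC1 EventID=4720 User=Administrator Target=svc_backup"],
]


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal_batch(lines, prev_seal):
    """Compress one batch and seal it; the seal covers the payload digest and the previous seal."""
    payload = zlib.compress("\n".join(lines).encode("utf-8"), 9)
    digest = _sha256(payload)
    return {"count": len(lines), "payload": payload, "digest": digest,
            "prev_seal": prev_seal, "seal": _sha256((prev_seal + digest).encode())}


def build_archive(batches):
    """Seal batches in order into a hash chain; return (records, head_seal)."""
    records, prev = [], GENESIS_SEAL
    for lines in batches:
        rec = seal_batch(lines, prev)
        records.append(rec)
        prev = rec["seal"]
    return records, prev


def read_batch(record):
    """Recover the original lines from a sealed record (on-demand retrieval for review)."""
    return zlib.decompress(record["payload"]).decode("utf-8").split("\n")


def verify_archive(records, expected_head=None):
    """Recompute every digest and seal; optionally compare the head with a copy kept off-system."""
    problems, prev = [], GENESIS_SEAL
    for i, rec in enumerate(records):
        if rec["prev_seal"] != prev:
            problems.append(f"batch {i}: chain link broken")
        digest = _sha256(rec["payload"])
        if digest != rec["digest"]:
            problems.append(f"batch {i}: payload altered")
        if _sha256((rec["prev_seal"] + digest).encode()) != rec["seal"]:
            problems.append(f"batch {i}: seal does not match contents")
        prev = rec["seal"]
    if expected_head is not None and prev != expected_head:
        problems.append("head seal differs from the externally recorded head")
    return not problems, problems


def demo():
    """Run constructed tamper scenarios; return whether each one passes verification."""
    records, head = build_archive(SAMPLE_BATCHES)
    results = {"intact": verify_archive(records, head)[0]}

    # 1. Edit one line in batch 0 and store the new payload without resealing.
    edited = [dict(r) for r in records]
    lines = read_batch(edited[0])
    lines[2] = lines[2].replace("4624", "4625")  # make the successful logon look like a failure
    edited[0]["payload"] = zlib.compress("\n".join(lines).encode("utf-8"), 9)
    results["edited_line"] = verify_archive(edited, head)[0]

    # 2. Drop the firewall batch; the next record's prev_seal no longer links.
    results["dropped_batch"] = verify_archive([records[0], records[2]], head)[0]

    # 3. Rewrite history and reseal the whole chain: internally consistent, yet the head
    #    no longer matches the copy an auditor holds, which is why the head is kept off-system.
    altered = [list(b) for b in SAMPLE_BATCHES]
    altered[0] = altered[0][:2]  # erase the successful logon entirely
    rewritten, _new_head = build_archive(altered)
    results["rewritten_chain_internal_only"] = verify_archive(rewritten)[0]
    results["rewritten_chain_vs_recorded_head"] = verify_archive(rewritten, head)[0]
    return results
```

The third scenario is the one a checksum on each file alone does not catch: whoever can rewrite the archive can also recompute its checksums, so the head seal has to be recorded somewhere the archive's owner cannot reach.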

About Prism Microsystems
Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect
changes that could impact the performance, availability and security of your IT infrastructure. With
a proven history of innovation and leadership, Prism provides easy-to-deploy products and
solutions for integrated Security Management, Change Management and Intrusion Detection.
EventTracker, Prism’s market leading enterprise log management solution, enables commercial
enterprises, educational institutions and government organizations to increase the security of their
environments and reduce risk to their enterprise. Customers span multiple sectors including
financial, communications, scientific, healthcare, banking and consulting.
Prism Microsystems was formed in 1999 and is a privately held corporation with corporate
headquarters in the Baltimore-Washington high tech corridor. Research and development facilities
are located in both Maryland and India. These facilities have been independently appraised in
accordance with the Software Engineering Institute’s Appraisal Framework, and were deemed to
meet the goals of SEI Level 3 for CMM.
For additional information, please visit http://www.prismmicrosys.com/.

 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxsarah david
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxkarlhennesey
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptxneoalt
 
Maintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFixMaintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFixHCLSoftware
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyJonathanPritchard12
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfsarah david
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Managementkarthikvcyber
 
GDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistGDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistNetworkIQ
 
I Series User Management
I Series User ManagementI Series User Management
I Series User ManagementSJeffrey23
 
Why Regular Audits are Necessary in IT Asset Management.pdf
Why Regular Audits are Necessary in IT Asset Management.pdfWhy Regular Audits are Necessary in IT Asset Management.pdf
Why Regular Audits are Necessary in IT Asset Management.pdfaotmp2600
 

Ähnlich wie Leveraging Log Management to provide business value (20)

Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
 
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
 
Open service risk correlation
Open service risk correlationOpen service risk correlation
Open service risk correlation
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluation
 
HPE-Security update talk presented in Vienna to partners on 15th April 2016
HPE-Security update talk presented in Vienna to partners on 15th April 2016HPE-Security update talk presented in Vienna to partners on 15th April 2016
HPE-Security update talk presented in Vienna to partners on 15th April 2016
 
Demystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security Compliance
 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
Maintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFixMaintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFix
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Management
 
GDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistGDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation Checklist
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
Why Regular Audits are Necessary in IT Asset Management.pdf
Why Regular Audits are Necessary in IT Asset Management.pdfWhy Regular Audits are Necessary in IT Asset Management.pdf
Why Regular Audits are Necessary in IT Asset Management.pdf
 

Mehr von Enterprise Technology Management (ETM)

The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...Enterprise Technology Management (ETM)
 
Implementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTH
Implementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTHImplementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTH
Implementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTHEnterprise Technology Management (ETM)
 
Microsoft: Financial Exchange Speeds Development and Audit Reviews by 20 Percent
Microsoft: Financial Exchange Speeds Development and Audit Reviews by 20 PercentMicrosoft: Financial Exchange Speeds Development and Audit Reviews by 20 Percent
Microsoft: Financial Exchange Speeds Development and Audit Reviews by 20 PercentEnterprise Technology Management (ETM)
 

Mehr von Enterprise Technology Management (ETM) (18)

The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compli...
 
IMPROVING ORDER-TO-CASH CYCLE.
IMPROVING ORDER-TO-CASH CYCLE.IMPROVING ORDER-TO-CASH CYCLE.
IMPROVING ORDER-TO-CASH CYCLE.
 
The future of Finance
The future of FinanceThe future of Finance
The future of Finance
 
.The Complete Guide to Log and Event Management
.The Complete Guide to Log and Event Management.The Complete Guide to Log and Event Management
.The Complete Guide to Log and Event Management
 
Optimizing the Cloud Infrastructure for Enterprise Applications
Optimizing the Cloud Infrastructure for Enterprise ApplicationsOptimizing the Cloud Infrastructure for Enterprise Applications
Optimizing the Cloud Infrastructure for Enterprise Applications
 
Managing The Virtualized Enterprise New Technology, New Challenges
Managing The Virtualized Enterprise New Technology, New ChallengesManaging The Virtualized Enterprise New Technology, New Challenges
Managing The Virtualized Enterprise New Technology, New Challenges
 
The Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent ThemThe Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent Them
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ defined
 
Is Outsourcing Right for You?
Is Outsourcing Right for You?Is Outsourcing Right for You?
Is Outsourcing Right for You?
 
Implementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTH
Implementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTHImplementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTH
Implementation Brief Active Endpoints’ ActiveVOS BPMS - ENABLING DYNAMIC GROWTH
 
Whitepaper- Real World Search
Whitepaper-  Real World SearchWhitepaper-  Real World Search
Whitepaper- Real World Search
 
Liwp consider opensource2010
Liwp consider opensource2010Liwp consider opensource2010
Liwp consider opensource2010
 
Ibm social commerce_whitepaper
Ibm social commerce_whitepaperIbm social commerce_whitepaper
Ibm social commerce_whitepaper
 
Cloud view platform-highlights-web3
Cloud view platform-highlights-web3Cloud view platform-highlights-web3
Cloud view platform-highlights-web3
 
10 obvious statements about software configuration and change
10 obvious statements about software configuration and change10 obvious statements about software configuration and change
10 obvious statements about software configuration and change
 
Don't let wireless_detour_your_pci_compliance
Don't let wireless_detour_your_pci_complianceDon't let wireless_detour_your_pci_compliance
Don't let wireless_detour_your_pci_compliance
 
Microsoft: Financial Exchange Speeds Development and Audit Reviews by 20 Percent
Microsoft: Financial Exchange Speeds Development and Audit Reviews by 20 PercentMicrosoft: Financial Exchange Speeds Development and Audit Reviews by 20 Percent
Microsoft: Financial Exchange Speeds Development and Audit Reviews by 20 Percent
 
Kickfire: Best Of All Worlds
Kickfire: Best Of All WorldsKickfire: Best Of All Worlds
Kickfire: Best Of All Worlds
 

Leveraging Log Management to provide business value

The Log Management Challenge

In a typical enterprise, millions of logs are generated by systems, applications and devices every single day. These logs contain a record of all activity that takes place in a network and provide a wellspring of information to help improve security, enable compliance and optimize IT operations. However, gaining any actionable intelligence from this data depends on how well you can collect, consolidate, store and decipher the information that event logs contain, which is no easy task to do manually given the following constraints:

Collection

As a result of regulatory requirements, companies have to, at a bare minimum, collect and archive all log data from a number of devices and device types ranging from network and security devices to operating systems, databases, applications and web logs. Considering that in most companies the number of devices that generate event logs is in the hundreds or thousands, and that each device can generate millions of logs every single day, simply keeping up with the staggering volume can be a challenge. There is also the challenge of establishing reliability for audit purposes: demonstrating that logs were collected in a secure manner.

Storage

In order to facilitate review, many compliance mandates require log data to be stored securely for on-demand retrieval and historical analysis.

• The NIST guide for HIPAA requires that logs be maintained for 6 years at a minimum.
• Section 103 of Sarbanes-Oxley requires that “information related to any audit report, in sufficient detail to support the conclusions reached in such report” be maintained for 7 years.
• Section 10.7 of the PCI Data Security Standard requires covered entities to retain audit trail data for at least one year, with a minimum of 3 months online availability.
• In addition, the Gramm-Leach-Bliley Act, the SANS Institute and various other best practices recommend that logs and documentation be kept for a varying number of years.

Prism Microsystems, Inc. 3

Normally, a single Windows server can generate over 100,000 events every day without using the auditing feature. With the audit feature in operation, Windows servers, like many UNIX systems, SNMP devices and firewalls, can produce over one million events per day. It is not unusual for even a small organization to generate well over 20 million events every day. This information needs to be securely archived for IT controls and compliance.

One hundred Windows servers with an average of 100,000 events each means a total of 10 million events per day – and that is without auditing! If these events are kept for 90 days, it is necessary to manage and store 900 million events. Retained for 1 year, the archive would contain over 3.5 billion separate event records. This can translate into a significant storage burden, keeping in mind that one million events can take up to 5GB of space in a traditional database.

Analysis

Analysis remains the third major challenge. The fact is that different devices generate logs in distinct, inconsistent and often cryptic formats that are difficult to analyze without in-depth system-specific expertise. Also, many of the conditions that indicate issues can only be detected when events are correlated or associated with events happening on other systems and devices. If caught in time, these signs can alert personnel to take necessary actions before security is compromised. Moreover, this analysis needs to be done in real time for immediate insight into unusual and suspicious user/network activity – a task that is impossible to do manually, unless of course a company has an army of IT experts at its disposal 24/7.
The case for automated Log Management

It is no wonder that IT managers who grasp the importance of event log data still find the entire task of event log management a difficult challenge. That’s where SIEM (Security Information and Event Management) or Log Management solutions come in. An automated solution will address the challenges outlined in the previous section and help organizations cost effectively collect, archive, correlate and analyze enterprise-wide log data for security investigation and compliance reporting.

Traditional drivers: Compliance and Security

A Log Management solution is typically implemented for one or more of the following reasons:

a) To comply and prove compliance

Log management is typically considered a security best practice; however, a number of regulations such as SOX, HIPAA, PCI, GLBA and FISMA specifically call for the collection, storage, regular review and analysis of log data. Log Management solutions help companies wade through the often vague guidelines of compliance requirements with predefined reports mapped to specific regulatory requirements. A comprehensive Log Management solution helps you:

• Automate the entire compliance process, from securing your environment, establishing baselines, tracking user activity and alerting to potential violations to creating audit-ready reports
• Demonstrate to auditors that periodic reviews are being conducted in compliance with internal and external policies
• Comply with a variety of regulatory standards spanning multiple verticals

b) To detect and prevent security breaches

Event logs from firewalls, routers, systems and applications provide valuable clues about the state of a company’s overall security posture. The really important clues, however, are often very hard to detect and sometimes can only be extracted after viewing a series of events on multiple systems in context. Log Management solutions come with powerful correlation capabilities that look for patterns of events taking place across the entire enterprise to detect abnormal activity that may be indicative of an attack in progress. These solutions help you:

• Detect and prevent damage from Zero-Day and other new forms of attack vectors
• Monitor user activity and USB device usage for unauthorized internal access to sensitive data
• Monitor networks for suspicious activity that often precedes a security breach
• Create customized correlation rules to detect common and critical security conditions in real time
• React quickly and early to suspicious activity with instant alerts and automatic remediation for proactive prevention

c) To conduct forensic investigations on security incidents

Log Management solutions support forensic investigations by providing a complete audit trail of forensically clean data leading up to an attack. Logs can be used to establish a timeline of events, which can be used to piece together what went wrong, giving a detailed perspective of what happened, so that steps can be taken to ensure that it does not happen again.

Leveraging Log Management beyond the security organization

Beyond security and compliance, Log Management can be applied across the IT organization to increase the efficiency of IT operations, primarily through increased visibility into enterprise-wide activity. Log Management solutions not only help in maintaining the IT infrastructure in optimal shape but also enable planning for future requirements by monitoring disk space trends, CPU usage trends and service downtime. By alerting on trends that indicate resource issues such as low disk space, runaway processes, high memory usage, etc., an event log management solution significantly improves IT availability by reducing unplanned outages, while at the same time reducing the total cost of ownership of the IT infrastructure. Log Management solutions:

• Automate routine tasks and decrease dependence on existing resources
• Enable IT staff to quickly diagnose issues before they escalate into costly disruptions
• Accelerate troubleshooting times
• Free up personnel to do more productive tasks
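The cross-system correlation that the Analysis section and the detection points above describe, as an added example that is not Prism's or EventTracker's code: three constructed feeds in their native formats (Windows logon events, UNIX sshd syslog, a firewall) are normalized into one schema, then two rules run over a sliding time window keyed on source address. Hostnames, accounts, addresses, the 60-second window and the threshold of three are assumptions, as is the syslog year, which BSD syslog lines do not carry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2009  # BSD syslog lines carry no year; assumed for the constructed sample

# Constructed sample lines from three sources with different native formats.
# Hostnames, accounts and addresses are made up; only the record shapes are realistic.
SAMPLE_LOGS = [
    ("windows", "2009-08-17 09:00:01 EventID=4625 Account=jdoe Workstation=HR-WS12 Source=10.0.5.23"),
    ("syslog", "Aug 17 09:00:04 db01 sshd[2231]: Failed password for jdoe from 10.0.5.23 port 51022 ssh2"),
    ("firewall", "2009-08-17T09:00:07Z action=deny src=10.0.5.23 dst=10.0.9.4 dport=445"),
    ("windows", "2009-08-17 09:00:09 EventID=4625 Account=jdoe Workstation=FIN-SRV1 Source=10.0.5.23"),
    ("syslog", "Aug 17 09:00:12 app02 sshd[887]: Failed password for jdoe from 10.0.5.23 port 51031 ssh2"),
    ("windows", "2009-08-17 09:00:20 EventID=4624 Account=jdoe Workstation=FIN-SRV1 Source=10.0.5.23"),
    ("syslog", "Aug 17 09:30:00 db01 sshd[2300]: Failed password for bob from 10.0.7.9 port 40000 ssh2"),
]

WIN_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Account=(\S+) Workstation=(\S+) Source=(\S+)")
SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def normalize(source, line):
    """Map one raw line to the common schema; None for lines the rule set does not use."""
    if source == "windows":
        m = WIN_RE.match(line)
        # 4625 = failed logon, 4624 = successful logon; other IDs are ignored here
        outcome = {"4625": "failure", "4624": "success"}.get(m.group(2)) if m else None
        if outcome is None:
            return None
        return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "source": source,
                "host": m.group(4), "user": m.group(3), "src_ip": m.group(5), "outcome": outcome}
    if source == "syslog":
        m = SSH_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                "source": source, "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
                "outcome": "failure" if m.group(3) == "Failed" else "success"}
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), "source": source,
                "host": m.group(4), "user": None, "src_ip": m.group(3),
                "outcome": "deny" if m.group(2) == "deny" else "allow"}
    return None


def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Two rules over a sliding window, keyed on source address:
    distributed_failures: >= threshold failures/denies against >= 2 hosts seen by >= 2 sources;
    success_after_failures: a successful logon while such failures are still inside the window."""
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(list)  # src_ip -> failure/deny events still inside the window
    fired = set()               # src_ips already alerted on, so a rule fires once per burst
    alerts = []
    for ev in events:
        ip = ev["src_ip"]
        recent[ip] = [r for r in recent[ip] if r["ts"] >= ev["ts"] - window]
        if not recent[ip]:
            fired.discard(ip)
        if ev["outcome"] == "success":
            if len(recent[ip]) >= threshold:
                alerts.append({"rule": "success_after_failures", "severity": "high", "src_ip": ip,
                               "user": ev["user"], "host": ev["host"], "ts": ev["ts"],
                               "prior_failures": len(recent[ip])})
                recent[ip].clear()
                fired.discard(ip)
            continue
        if ev["outcome"] in ("failure", "deny"):
            recent[ip].append(ev)
            hosts = {r["host"] for r in recent[ip]}
            sources = {r["source"] for r in recent[ip]}
            if ip not in fired and len(recent[ip]) >= threshold and len(hosts) >= 2 and len(sources) >= 2:
                fired.add(ip)
                alerts.append({"rule": "distributed_failures", "severity": "medium", "src_ip": ip,
                               "hosts": sorted(hosts), "sources": sorted(sources), "ts": ev["ts"]})
    return alerts


def run(logs=SAMPLE_LOGS):
    """Normalize every line that parses and return the alerts the rules raise."""
    events = [e for e in (normalize(src, line) for src, line in logs) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample feed the first rule fires at the third failure (one host each from Windows, sshd and the firewall) and the second fires at the later successful logon; the single failure from the unrelated address raises nothing.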
Generating business value from Log Management

From the applications of Log Management detailed above, the business value that Log Management solutions provide is apparent. Automation of regulatory processes, improved efficiency of forensic investigations, faster troubleshooting turnaround and a better security posture are some of the most important benefits that an organization gains with the proper implementation of a log management solution. There are also several lesser known benefits of Log Management that can provide tremendous business value by addressing critical management areas:

Increased agility

In these tough economic times, the margin for business error is very slim. When services are IT dependent, unexpected performance issues and security breaches can severely impact a company’s competitiveness. In addition, lost business and revenue opportunities can result if, for instance, an order taking system goes down, or if customers are unable to contact you. An effective log management solution increases your business and IT agility by allowing you to quickly respond to unexpected situations and problems before performance is affected or revenue is lost.

Business process improvement

Considering that logs are records of what a system does minute by minute, the right log management solution can provide a detailed understanding of most aspects of a business, from how consumers use systems to purchase goods, to identifying operational bottlenecks, to tracking resource utilization. The insight that log data provides into business operations can help you measure and optimize critical processes.

Business risk mitigation

A security breach can cause long-term damage to corporate reputation. The negative press resulting from loss of sensitive customer data such as credit card information or social security numbers can not only create customer distrust and subsequently impact sales and revenue, but also hinder business relationships and partnerships. The direct costs associated with clean-up activities after a security incident can also be substantial. Large fines as a result of non-compliance, identity protection services offered to affected customers, litigation fees, and civil lawsuits can all add up to a significant chunk of money. Log Management solutions substantially reduce the risks and costs associated with security breaches by proactively detecting patterns indicative of a breach and enabling personnel to perform remediation activities before costly damage is caused.

Enhanced team communication and collaboration

IT typically operates through specialized teams to manage security threats, optimize network performance and enable compliance. These groups deploy point products within each of their areas to meet their independent requirements, and while this approach is beneficial for addressing department-specific objectives, it creates silos of data that hinder cross-departmental collaboration and decision making. Log Management solutions enable cross-functional communication and information sharing by seamlessly weaving together information on all IT assets into an integrated framework that provides intelligence and insight into enterprise-wide activity for effective decision making.

Increased management visibility

Executive Management benefits from dashboards and reports that provide visibility into cross-departmental activities such as operational and security metrics, corporate governance, and regulatory initiatives. Summary reports and analysis capabilities allow them to make a quick assessment of progress and get an overview of the overall IT posture.
Reduced costs

Log Management solutions accelerate the identification of critical security and performance issues, significantly reducing the costs associated with service disruptions, security breaches and non-compliance. With the automation of compliance processes and predefined reports, the costs associated with preparing for audits and remaining in compliance are also significantly reduced. In addition, Log Management solutions help increase service levels without increasing staff, and reduce burdens on existing resources by automating routine tasks. In times of tightening budgets and staff cuts, Log Management helps companies do more with less by addressing multiple requirements across departments.

Conclusion

Log Management solutions, although typically deployed to meet very specific requirements, have benefits that extend far beyond department-level objectives. With the insight that log data provides into enterprise-wide IT, a growing number of constituents can benefit from a solution that automates the collection, consolidation and analysis of this data – these range from audit and compliance groups, security teams, IT operations and Helpdesk teams to legal teams (for forensic investigation), senior management and CIOs.
About EventTracker

EventTracker is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables “defense in depth”, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases.

To prevent security breaches, Event Log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach. The original log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis.

For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, PCI, and more), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.

EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92, Guide to Computer Security Log Management, and additionally provides Host Based Intrusion Detection, Change Monitoring and USB activity tracking on Windows systems, all in an off-the-shelf, affordable software solution.

EventTracker provides the following benefits:

• A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2 and legacy platform logs, and Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other SYSLOG-generating devices.
• Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured (sealed with SHA-1 checksum) archive that is limited only by the amount of available disk storage.
• Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
• Alerting interface that generates custom alert actions via email, pager, console message, etc.
• Event correlation modules to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
• Various types of network activity reports, which can be scheduled or generated as required for any investigation or for meeting audit compliance requirements.
• Host-based Intrusion Detection (HIDS).
• Role-based, secure event and reporting console for data analysis.
• Change Monitoring on Windows machines.
• USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
• Built-in compliance workflows to allow inspection and annotation of the generated reports.
About Prism Microsystems

Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism’s market-leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting.

Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high-tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute’s Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM.

For additional information, please visit http://www.prismmicrosys.com/.
